Move or Clone a Policy Rule or Object to a Different Virtual System

On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.
When cloning multiple policy rules, the order by which you select the rules will determine the order they are copied to the device group. For example, if you have rules 1-4 and your selection order is 2-1-4-3, the device group where these rules will be cloned will display the rules in the same order you selected. However, you can reorganize the rules as you see fit once they have been successfully copied.
  1. Select the policy type (for example,
    Policy
    Security
    ) or object type (for example,
    Objects
    Addresses
    ).
  2. Select the
    Virtual System
    and select one or more policy rules or objects.
  3. Perform one of the following steps:
    • Select
      Move
      Move to other vsys
      (for policy rules).
    • Click
      Move
      (for objects).
    • Click
      Clone
      (for policy rules or objects).
  4. In the
    Destination
    drop-down, select the new virtual system or
    Shared
    .
  5. (
    Policy rules only
    ) Select the
    Rule order
    :
    • Move top
      (default)—The rule will come before all other rules.
    • Move bottom
      —The rule will come after all other rules.
    • Before rule
      —In the adjacent drop-down, select the rule that comes after the Selected Rules.
    • After rule
      —In the adjacent drop-down, select the rule that comes before the Selected Rules.
  6. The
    Error out on first detected error in validation
    check box is selected by default. The firewall stops performing the checks for the move or clone action when it finds the first error, and displays just this error. For example, if an error occurs when the
    Destination
    vsys doesn’t have an object that the policy rule you are moving references, the firewall will display the error and stop any further validation. When you move or clone multiple items at once, selecting this check box will allow you to find one error at a time and troubleshoot it. If you clear the check box, the firewall collects and displays a list of errors. If there are any errors in validation, the object is not moved or cloned until you fix all the errors.
  7. Click
    OK
    to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn’t find errors, the object is moved or cloned successfully. After the operation finishes, click
    Commit
    .

Related Documentation